In this case there is no involvement of end user, so that User Experience part is irrelevant here.

Important to mention on when to use what for token signing. As per Token Signing:

Add an X.509 certificate signing credential if you are using the Windows Identity Foundation (WIF) in your relying party application.

Add a 256-bit symmetric signing key if you are building an application that uses OAuth WRAP.

These keys or certificates are used to protect tokens from tampering while on transit. These certificates and keys are not for authentication. They help maintaining trust between Azure AppFabric Access Control Service (ACS) and the Web Service.

Try out yourself using bootstrap samples available here:

ASP.NET Simple Service: A very simple ASP.NET web service that uses ACS for authentication and simple authorization